I just noticed that the message of Lucene's ParseException contains the user's input that Lucene is failing to parse. The user input is not sanitized in any way. My appserver is showing the exception message in both the body and the HTTP status line of the response. So even if I set up custom error pages, the user input is still being sent unsanitized in the response. I don't know if this is the behavior of other appservers or not. I don't think I can sanitize the user input before sending it to Solr/Lucene since the content of my index contains special characters.
I am thinking that we can change the behavior of QueryComponent. Since Solr is a webapp, I don't think it is unreasonable to have Solr be responsible for sanitizing exception messages. This is the current QueryComponent code:

    } catch (ParseException e) {
      throw new SolrException(SolrException.ErrorCode.BAD_REQUEST, e);
    }

Instead of wrapping the ParseException in the SolrException, we can simply sanitize the message of the ParseException and use that to create the SolrException. I can submit a patch for this. Any comments/suggestions?

Bill
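A sketch of the sanitizing catch block described above, added here as an illustration and not Bill's patch or Solr's own code. The escaping helper is hypothetical, and the import assumes the 2.x/3.x-era Lucene package name for ParseException.

```java
import org.apache.lucene.queryParser.ParseException;
import org.apache.solr.common.SolrException;

public class SafeQueryError {

    // Hypothetical helper: HTML-escape the message and replace CR/LF so the
    // text is safe to echo in a response body and cannot break the status line.
    static String sanitize(String raw) {
        if (raw == null) {
            return "";
        }
        StringBuilder sb = new StringBuilder(raw.length());
        for (char c : raw.toCharArray()) {
            switch (c) {
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '&':  sb.append("&amp;");  break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                case '\r':
                case '\n': sb.append(' ');      break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    // The proposed change: build the SolrException from the sanitized message
    // rather than wrapping the ParseException (and its raw message) whole.
    static SolrException toSolrException(ParseException e) {
        return new SolrException(SolrException.ErrorCode.BAD_REQUEST,
                                 sanitize(e.getMessage()));
    }

    // Constructed input standing in for a query the parser rejects; the
    // sanitized message is what would reach the response instead of the raw text.
    public static void main(String[] args) {
        ParseException e = new ParseException("Cannot parse '<b>bad\r\nquery</b>'");
        System.out.println(toSolrException(e).getMessage());
    }
}
```

Escaping here is a defence in depth: the message is still user-controlled text, so the layer that renders it (error page, JSON writer, status line) must also encode for its own output context.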